Search This Blog

Friday, December 20, 2013

Target data theft fuels new worries on cybersecurity

As millions of bargain-crazed customers swarmed through
Target stores on Black Friday, one of the most audacious heists in retail
history was quietly underway.

A band of cyberthieves pilfered credit and debit card
information from the giant retailer's customers with pinpoint efficiency as
shoppers bought discounted sweaters and electronic gear on the unofficial
launch of the holiday shopping season.

By the time the scheme was discovered, the unidentified
hackers had made off with financial data of 40 million Target customers over a
21/2-week period. It ranks as one of the nation's biggest retail cybercrimes on
record.

Target disclosed the security breach Thursday, saying the
thieves had purloined customer names, card numbers and a security code
encrypted in the magnetic strip. The theft enables the culprits to make phony
credit cards, make fraudulent purchases or siphon money from bank accounts.

The data breach underscored the evolving sophistication of
cybercriminals and the persistent vulnerability of retailers and consumers
despite dozens of past incidents at major retailers.

“How do you get 40 million credit cards and no one knows
about it?” said Ken Stasiak, chief executive of SecureState, which investigates
cybercrimes. “That's a hell of a lot of credit cards. There should have been
someone inside the company who spotted this much sooner.”

The Target attack appeared to be well thought out and
executed with great precision.

The Minneapolis retailer said the hack occurred between Nov.
27, just before the annual holiday shopping frenzy, and Dec. 15. The breach
affects people who bought goods at any of Target's 1,797 stores nationwide, but
doesn't affect those who made purchases online.

The scope of the Target attack suggested that criminals
might have gained access to encrypted customer information on a central
database, security experts said. Another theory is that they sent malware-laden
email to Target employees that spread through the retailer's network once those
emails were opened.

“Whoever did this is pretty sophisticated — it's most likely
not some teenager sitting in his room,” said Peter Toren, a former prosecutor
with the Department of Justice's IP and Computer Crimes division.

Target didn't give any details about how the scheme may have
been carried out. The Secret Service said it is investigating. Banks and credit
card companies rushed to assure customers that they would not be liable for any
fraudulent transactions.

Customers who think they may be affected should scrutinize
card statements and free online credit reports for suspicious behavior, experts
said.

The Target fiasco could cost consumers $4.1 billion, almost
all from potential debit card losses. Beyond that, victims collectively could
spend as many as 131 million hours getting their accounts in order, according
to Javelin Strategy & Research.

The theft of credit card data is a highly lucrative
business. Criminals either manufacture counterfeit cards, resell the data on
underground forums or make fraudulent online purchases themselves.

Corporate America has made progress in thwarting cybercrime,
but many companies still devote insufficient money and resources, experts said.

“We're seeing massive data breaches frequently due to
low-hanging type of security problems,” said Andrea Matwyshyn, a University of
Pennsylvania law professor who specializes in computer security.
“Traditionally, questions of information security have been viewed by many
companies as something that the IT department does, and that is a cultural
mindset problem that is at the root” of some of the problems.

The heist intensified a debate about consumer privacy at a
time when the value of personal financial information has skyrocketed.

Major businesses increasingly gather and analyze information
about customer demographics and buying habits in a strategy known as data
mining. The goal often is to personalize product pitches to reach customers
more effectively.

“Personal data is king to merchants, to retailers, to banks,
to the NSA and to organized-crime groups all over the world,” said Mark Rasch,
an attorney and expert in computer security in Bethesda, Md.

Giant retailers and credit card payment processors have been
frequent targets of cyberthieves.

This summer, federal officials said that a ring of Russian
and Ukranian hackers stole 160 million credit card numbers — targeting
retailers such as JCPenney and 7-Eleven — over several years and used the data
to filch millions of dollars.

In 2007, T.J. Maxx and Marshalls parent company TJX Cos.
said hackers had entered its computer systems — where at least 45 million
credit and debit card accounts were on file. The hackers had access to the
system for more than a year before being detected.

TJX agreed in 2009 to pay $9.75 million to 41 states,
including California, to settle a probe of the breach.

The size and scope of the Target attack raised questions for
many in the security community about how robust its defenses are and how
vigilant the company in terms of watching for clues that a breach had occurred.

The company may face consumer lawsuits and government fines
“if it turns out that their security was lax and they were negligent,” Toren
said.

Late Thursday, Target was sued by a customer in federal
court in California, according to Bloomberg.

Now that Target and authorities are on to the scheme, the
culprits are likely to rush to capitalize on the stolen information. Shoppers
making massive last-minute purchases before Christmas could discover a nasty
surprise.

“The shelf life of those cards is down to days,” said Alex
Moss, managing partner at security consulting firm Conventus. “If consumers'
data was compromised, they could find their card balances maxed out very
quickly, and then they're stuck until the investigation is over. That could put
a huge portion of people in a tight spot, particularly during the holiday
season.”

But consumers will likely go on shopping — carefully,
analysts said.

Shopper Phil Schneider, 63, said he visits the City Target
near his downtown workplace two or three times a week. He doesn't plan to go
any less often — if there's evidence of spending that isn't his, he said he's
sure Target “will make good on it.”

“I don't blame anybody, but I'm shaking my head,” he said.
“Target's not some fly-by-night company — they're a good firm.

“And that's my concern — how something like this can happen.
It just scares the bejesus out of me. We're all connected by the Internet.”